Translate VF network capabilities to port binding

Libvirt's node device driver accumulates and reports information
about host devices. Network capabilities reported by node device
driver for NIC contain information about HW offloads supported
by this NIC.

One of possible features reported by node device driver is
switchdev: a NIC capability to implement VFs similar to actual
HW switch ports (also referred to as SR-IOV OVS hardware offload).
From Neutron perspective, vnic-type should be set to "direct" and
"switchdev" capability should be added to port binding profile to
enable HW offload (there are also configuration steps on compute
hosts to tune NIC config).

This patch was written to automatically translate "switchdev" from
VF network capabilities reported by node device driver to Neutron
port binding profile and allow user to skip manual step that
requires admin privileges.

Other capabilities are also translated: they are not used right
now, but provide visibility and can be utilized later.

Closes-bug: #2020813
Closes-bug: #2008238
Change-Id: I3b17f386325b8f42c0c374f766fb21c520161a59
(cherry picked from commit cef3b5e)
(cherry picked from commit 7e4f45d)
(cherry picked from commit 4fcc8c3)

Author: MrStupnikov

nova/network/neutron.py

@@ -1588,6 +1588,13 @@ def _get_vf_pci_device_profile(self, pci_dev):
                 'pf_mac_address': pf_mac,
                 'vf_num': vf_num,
             })
+
+        # Update port binding capabilities using PCI device's network
+        # capabilities if they exist.
+        pci_net_caps = pci_dev.network_caps
+        if pci_net_caps:
+            vf_profile.update({'capabilities': pci_net_caps})
+
         return vf_profile
 
     def _get_pci_device_profile(self, pci_dev):

nova/objects/pci_device.py

@@ -588,6 +588,13 @@ def mac_address(self):
         """
         return self.extra_info.get('mac_address')
 
+    @property
+    def network_caps(self):
+        """PCI device network capabilities or empty list if not available"""
+        caps_json = self.extra_info.get('capabilities', '{}')
+        caps = jsonutils.loads(caps_json)
+        return caps.get('network', [])
+
 
 @base.NovaObjectRegistry.register
 class PciDeviceList(base.ObjectListBase, base.NovaObject):

nova/tests/fixtures/libvirt_data.py

@@ -2182,6 +2182,7 @@ def fake_kvm_guest():
         <feature name='rxvlan'/>
         <feature name='txvlan'/>
         <feature name='rxhash'/>
+        <feature name='switchdev'/>
         <capability type='80203'/>
       </capability>
     </device>""",  # noqa:E501

nova/tests/unit/network/test_neutron.py

@@ -8144,17 +8144,20 @@ def test__get_vf_pci_device_profile(self):
                        'pf_mac_address': '52:54:00:1e:59:c6',
                        'vf_num': 1,
                    },
+                   'network_caps': ['gso', 'sg', 'tso', 'tx'],
                    'dev_type': obj_fields.PciDeviceType.SRIOV_VF,
                   }
         PciDevice = collections.namedtuple('PciDevice',
                                ['vendor_id', 'product_id', 'address',
                                 'card_serial_number', 'sriov_cap',
-                                'dev_type', 'parent_addr'])
+                                'dev_type', 'parent_addr',
+                                'network_caps'])
         mydev = PciDevice(**pci_dev)
         self.assertEqual(self.api._get_vf_pci_device_profile(mydev),
                          {'pf_mac_address': '52:54:00:1e:59:c6',
                           'vf_num': 1,
-                          'card_serial_number': 'MT2113X00000'})
+                          'card_serial_number': 'MT2113X00000',
+                          'capabilities': ['gso', 'sg', 'tso', 'tx']})
 
     @mock.patch.object(
         neutronapi.API, '_get_vf_pci_device_profile',

nova/tests/unit/objects/test_pci_device.py

@@ -171,6 +171,16 @@ def test_pci_device_extra_info_card_serial_number(self):
         self.pci_device = pci_device.PciDevice.create(None, self.dev_dict)
         self.assertEqual(self.pci_device.card_serial_number, '42')
 
+    def test_pci_device_extra_info_network_capabilities(self):
+        self.dev_dict = copy.copy(dev_dict)
+        self.pci_device = pci_device.PciDevice.create(None, self.dev_dict)
+        self.assertEqual(self.pci_device.network_caps, [])
+
+        self.dev_dict = copy.copy(dev_dict)
+        self.dev_dict['capabilities'] = {'network': ['sg', 'tso', 'tx']}
+        self.pci_device = pci_device.PciDevice.create(None, self.dev_dict)
+        self.assertEqual(self.pci_device.network_caps, ['sg', 'tso', 'tx'])
+
     def test_update_device(self):
         self.pci_device = pci_device.PciDevice.create(None, dev_dict)
         self.pci_device.obj_reset_changes()

nova/tests/unit/virt/libvirt/test_host.py

@@ -1337,7 +1337,7 @@ def test_get_pcidev_info(self):
             "parent_ifname": "ens1",
             "capabilities": {
                 "network": ["rx", "tx", "sg", "tso", "gso", "gro", "rxvlan",
-                            "txvlan", "rxhash"],
+                            "txvlan", "rxhash", "switchdev"],
                 "sriov": {"pf_mac_address": "52:54:00:1e:59:c6",
                           "vf_num": 1},
                 # Should be obtained from the parent PF in this case.

releasenotes/notes/translate_vf_network_capabilities_to_port_binding-48abbfe0ce2923cf.yaml

@@ -0,0 +1,16 @@
+---
+fixes:
+  - |
+    Previously ``switchdev`` capabilities should be configured manually by a
+    user with admin privileges using port's binding profile. This blocked
+    regular users from managing ports with Open vSwitch hardware offloading
+    as providing write access to a port's binding profile to non-admin users
+    introduces security risks. For example, a binding profile may contain a
+    ``pci_slot`` definition, which denotes the host PCI address of the
+    device attached to the VM. A malicious user can use this parameter to
+    passthrough any host device to a guest, so it is impossible to provide
+    write access to a binding profile to regular users in many scenarios.
+
+    This patch fixes this situation by translating VF capabilities reported
+    by Libvirt to Neutron port binding profiles. Other VF capabilities are
+    translated as well for possible future use.